Multiperspective Malware Analysis Page

Welcome to the Cyber-TA
SRI's Multiperspective Malware Infection Analysis Page

UNCENSORED PAGE

<Click here: to download BotHunter>

02 October 2009
<prev> <next>

All data collection and analyses summarized in this page were 100% AUTO-GENERATED.

DEVELOPERS: Vinod Yegneswaran (SRI), Phillip Porras (SRI), Hassen Saidi (SRI)
Monirul Sharif (Georgia-Tech), Arvind Narayanan (University of Texas at Austin)

The data on this website is provided for research purposes only. It is provided
for your personal use only and is supplied AS IS, WITHOUT WARRANTY OF ANY KIND.
Use or reliance on this data is at your own risk.

Daily Summary Files: [DNS Lookups & Failed Connects] [ Attacker IPs ] [C&C Servers] [Binary Digests]
Cumulative Summary Files: [DNS Lookup Log] [Attacker IP Log] [C&C Server Log] [Antivirus Detection] [Code Segment Overlap]
[Behavioral Clusters] [Binary Digest Log]

[See Country Codes ]

Time
Victim
OS
Infection
Source
C&C
Server
DNS Lookups &
Failed Connects Infection
Port
Packet
Trace
Detection
Signatures
Infection
Chatter
BotHunter
Analysis
Behavioral
Cluster
Forensic
Logs
Antivirus
Labels
Packed Malware_Binary Unpacked egg.exe
Unpacked egg.asm
Packer PEID
Data Strings
Syscall Trace

T:00:08:00 WinXP 96.50.176.131 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
CALGARY, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
478 lines Yeah : 1.3
profile none summary
tarball 39 of 41 0ad3be7ff5
NEW 101339ea16 [0] none:none
PENinja S| none trace

T:00:49:00 WinXP 114.32.140.186 (HINET.NET):
CHTD CHUNGHWA TELECOM CO. LTD,
TAIPEI, T'AI-PEI, TW. (DSL) 91.212.220.75:65520 EU:proxim.ircgalaxy.pl
CN:dl.guarddog2009.com
EU:gidromash.cn
EU:ottopay.cn
RO:195.210.41.194:3128
PL:195.222.115.218:3128
HU:195.56.103.166:3128
BR:200.171.58.81:3128
NL:212.142.72.166:3128
RU:217.23.182.150:3128
HK:219.77.230.53:3128
CA:24.78.179.226:3128
EU:77.38.194.175:3128
EU:78.139.172.151:3128
EU:78.139.178.198:3128
EU:78.84.197.182:3128
GB:87.248.129.4:3128
DK:87.57.6.103:3128
PL:87.99.47.164:3128
94.156.71.152:3128
94.176.85.29:3128
95.104.105.25:3128 445 pcap raw alerts
ruleset shell
ftp
irc
http
http
27 lines Yeah : 1.8
profile none summary
tarball 25 of 41
23 of 41
38 of 40
7 of 41 3a59e85036
NEW
5d721a4dee
NEW
7bc8d57d8c
NEW
c7830331fc
NEW 1f005cdcf4 [0]
6afc8cafab[0]
be025ab204[0]
7953649664[0] none:none
none:none
none:none
none:none
StarForce|
UPX|
none|none
tElock| none
none
none
none trace
trace
trace
trace

T:00:57:00 WinXP 219.88.181.245 (XTRA.CO.NZ):
TELECOM XTRA,
AUCKLAND, AUCKLAND, NZ. (DSL) n/a
RU:212.92.96.38:25
CN:218.93.205.30:65520
US:64.120.149.21:33254
US:64.191.104.197:19725
US:65.55.37.72:25
US:66.197.252.149:3954 445 pcap raw alerts
ruleset http
42 lines Argh : 0.3
profile none summary
tarball none none none none none none none

T:02:00:00 WinXP 211.245.103.188 (SONICANT.CO.KR):
THRUNET CO. LTD,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 91.212.220.75:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
CN:dl.guarddog2009.com
EU:gidromash.cn
EU:ottopay.cn
EU:193.110.77.122:3128
RO:195.210.41.194:3128
FR:212.233.227.43:3128
SE:213.226.126.80:3128
CN:221.12.89.137:80
EU:77.38.224.13:3128
EU:78.69.88.104:3128
GB:81.103.99.55:3128
IL:84.108.198.129:3128
ES:85.136.212.88:3128
HU:85.66.248.60:3128
RO:89.38.228.158:3128
EU:91.212.220.75:65520
93.116.227.123:3128
93.180.94.104:3128
94.240.163.13:3128 135 pcap raw alerts
ruleset irc
http
http
135 lines Yeah : 1.8
profile none summary
tarball 30 of 33
23 of 41
25 of 40
7 of 41
31 of 33 2ef9098242
NEW
5d721a4dee
NEW
6f3e0adc29
NEW
c7830331fc
NEW
d789c8d157
NEW de91d8b5d0 [0]
6afc8cafab[0]
1f005cdcf4[0]
7953649664[0]
5f6572479f[0] none:none
none:none
none:none
none:none
none:none
Armadillo|
UPX|
StarForce|
tElock|
PolyEnE| none
none
none
none
none trace
trace
trace
trace
trace

T:02:51:00 WinXP 67.8.56.42 (RR.COM):
ROAD RUNNER HOLDCO LLC,
APOPKA, FLORIDA, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:03:13:00 Win2K-f 60.249.37.106 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 34 of 38
35 of 38 38ed850a0e
NEW
b9297745a1
NEW 46990f37cd [0]
4294884d84[0] ASM:Graph
ASM:Graph
Armadillo|
tElock| lines=91
lines=64
embedded dns trace
trace

T:03:20:00 WinXP 202.80.166.122 (-):
ST TELEPORT PTE LTD TELEPORT OPERATOR IN SINGAPORE,
SINGAPORE, SINGAPORE, SG. (DSL) n/a EU:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com 445 pcap raw alerts
ruleset http
http
14 lines Yeah : 0.8
profile none summary
tarball 28 of 29 330eaa2da2
NEW none[3] none:none
ASPack| none trace

T:03:51:00 WinXP 79.163.114.50 (CENTERTEL.PL):
PTK CENTERTEL BROADBAND SERVICES,
WARSAW, WARSZAWA, PL. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 35 of 36 06a5e31b47
NEW 25e6e52787 [0] ASM:Graph
PolyEnE| lines=68 trace

T:05:05:00 Win2K-f 72.185.229.235 (RR.COM):
ROAD RUNNER HOLDCO LLC,
TAMPA, FLORIDA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
420 lines Yeah : 1.3
profile none summary
tarball 39 of 41 6df9986fa7
NEW 1f5d1108f6 [0] none:none
StarForce| none trace

T:05:16:00 WinXP 91.58.213.207 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
DORTMUND, NORDRHEIN-WESTFALEN, DE. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 31 of 36 25bc0db7e3
NEW d172b5e90c [0] none:none
FASM| none trace

T:05:38:00 Win2K-f 76.202.0.150 (PACBELL.NET):
AT&T INTERNET SERVICES,
HOUSTON, TEXAS, US. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
59 lines Yeah : 1.3
profile none summary
tarball 33 of 33
8 of 33 53bfe15e91
NEW
b7082104e4
NEW 1473091351 [0]
c5b49e7b82[0] ASM:Graph
ASM:Graph
tElock|
tElock| lines=75
embedded dns
lines=41 trace
trace

T:06:03:00 WinXP 87.173.116.88 (T-DIALIN.NET):
DEUTSCHE TELEKOM AG,
BERLIN, BERLIN, DE. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:06:12:00 WinXP 174.6.21.151 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
WINNIPEG, MANITOBA, CA. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
76 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:06:52:00 WinXP 117.254.250.254 (STERLINGSTUDENTS.NET):
NIB (NATIONAL INTERNET BACKBONE),
NEW DELHI, DELHI, IN. (DSL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
3 lines Yeah : 1.3
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:07:01:00 WinXP 78.250.70.34 (PROXAD.NET):
PROXAD INTERNET SERVICE PROVIDER IN FRANCE,
FR. (DSL) n/a RU:citi-bank.ru
RU:213.219.245.212:80 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 38 of 41 aa795fd953
NEW e9b133047a [0] none:none
PolyEnE| none trace

T:08:19:00 Win2K-f 208.125.40.153 (RR.COM):
ROAD RUNNER HOLDCO LLC,
ROCHESTER, NEW YORK, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:10:43:00 WinXP 115.69.139.124 (-):
ICL-NET-IN,
DELHI, DELHI, IN. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 40 of 41 eda3b7766c
NEW 7556343561 [0] none:none
PolyEnE| none trace

T:14:09:00 WinXP 78.228.237.223 (PROXAD.NET):
PROXAD / FREE SAS,
PARIS, ILE-DE-FRANCE, FR. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 36 of 40 9b47736683
NEW 79ecd1a24c [0] none:none
none|none none trace

T:14:16:00 WinXP 12.72.29.219 (ATT.NET):
AT&T WORLDNET SERVICES,
WOODLAND HILLS, CALIFORNIA, US. (DIAL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
:www.proxy-socks.net
:wpad 445 pcap raw alerts
ruleset http
http
14 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:14:55:00 WinXP 211.23.226.98 (-):
LIOU-TZUNG-YI-TC,
TAIPEI, T'AI-PEI, TW. (100Mbps) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 39 of 41
37 of 40 5d445c59d8
NEW
8a54950abb
NEW 892e12db7b [0]
f6b9e43917[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:16:01:00 WinXP 66.217.102.195 (MCLEODUSA.NET):
PAETEC COMMUNICATIONS INC,
SANFORD, FLORIDA, US. (DIAL) n/a 445 pcap raw alerts
ruleset shell
ftp
15 lines Yeah : 1.3
profile none summary
tarball 31 of 32 741e3b03b3
NEW none[0] none:none
none|none lines=61 trace

T:16:33:00 WinXP 203.220.145.82 (COMINDICO.COM.AU):
COMINDICO AUSTRALIA,
GOSFORD, NEW SOUTH WALES, AU. (DIAL) 213.219.245.212:80 RU:citi-bank.ru 445 pcap raw alerts
ruleset http
2 lines Yeah : 1.3
profile none summary
tarball 39 of 41 57e25f48ad
NEW 66bab1e5b1 [0] none:none
PolyEnE| none trace

16:33:00 WinXP 203.220.145.82 (COMINDICO.COM.AU):
COMINDICO AUSTRALIA,
GOSFORD, NEW SOUTH WALES, AU. (DIAL) n/a 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball none none none none none none none

T:18:06:00 WinXP 64.105.214.163 (COVAD.NET):
COVAD COMMUNICATIONS CO,
BURNSVILLE, MINNESOTA, US. (DSL) 67.43.236.66:8080 72.10.172.211:8080 :xx.enterhere.biz
CA:xx.ka3ek.com
:idfc.info
CA:67.43.226.242:8080
CA:67.43.236.66:8080 135 pcap raw alerts
ruleset irc
http
187 lines Yeah : 1.8
profile none summary
tarball 38 of 41 a894e6640a
NEW 2a62540340 [0] none:none
PolyEnE| none trace

T:18:36:00 Win2K-f 125.4.223.55 (ZAQ.NE.JP):
J:COM WEST CO. LTD,
TOKYO, TOKYO, JP. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
113 lines Yeah : 1.3
profile none summary
tarball 38 of 41
37 of 41 98d2778fd6
NEW
f676f3bf5b
NEW 9feea491cb [0]
0fba495fc4[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

19:13:00 Win2K-f 190.208.94.87 (-):
TELMEX CHILE S.A HFC,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) n/a US:www.maxmind.com
US:www.getmyip.org
US:getmyip.co.uk
:checkip.dyndns.org
208.78.70.70:80
US:65.254.39.170:80
US:67.15.94.80:80 445 pcap raw alerts
ruleset http
2 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:19:15:00 WinXP 83.132.237.29 (CPE.NETCABO.PT):
TVCABO-PORTUGAL CABLE MODEM NETWORK,
AVEIRO, AVEIRO, PT. (DSL) n/a :moscow-advokat.ru 445 pcap raw alerts
ruleset http
1 line Yeah : 0.8
profile none summary
tarball 40 of 41 a1f992a08e
NEW 75ca0b4a8f [0] none:none
PolyEnE| none trace

T:19:21:00 Win2K-f 190.208.94.87 (-):
TELMEX CHILE S.A HFC,
SANTIAGO, REGION METROPOLITANA, CL. (DSL) n/a US:www.maxmind.com
US:getmyip.co.uk
:checkip.dyndns.org
DE:131.220.6.26:80 445 pcap raw alerts
ruleset http
7 lines Yeah : 0.8
profile none summary
tarball 3 of 37 d9cb288f31
NEW 45603a001c [0] ASM:Graph
UPX| lines=174
embedded dns trace

T:20:02:00 WinXP 75.43.212.91 (SBCGLOBAL.NET):
AT&T INTERNET SERVICES,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a DE:siliconfireware.ru
US:searchportal.information.com
US:spi.domainsponsor.com
GB:welcome3.smile.co.uk
:wpad
GB:195.92.84.198:80 445 pcap raw alerts
ruleset http
http
http
24 lines Yeah : 0.8
profile none summary
tarball 29 of 29 a12cab51ef
NEW none[0] none:none
ASPack| lines=281
embedded dns trace

T:21:04:00 WinXP 60.249.198.98 (HINET.NET):
CHUNGHWA TELECOM DATA COMMUNICATION BUSINESS GROUP,
TAIPEI, T'AI-PEI, TW. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
110 lines Yeah : 1.3
profile none summary
tarball 40 of 41
39 of 41 4640a4ccd3
NEW
518025c884
NEW 9d9f2a02f5 [0]
e811756e2b[0] none:none
none:none
tElock|
Armadillo| none
none trace
trace

T:21:10:00 WinXP 68.149.137.51 (SHAWCABLE.NET):
SHAW COMMUNICATIONS INC,
EDMONTON, ALBERTA, CA. (DSL) n/a 135 pcap raw alerts
ruleset other
1008 lines Yeah : 1.3
profile none summary
tarball 31 of 41 682a384fe9
NEW none[3] none:none
none|none none trace

T:21:22:00 WinXP 98.141.162.1 (CAVTEL.NET):
CAVALIER TELEPHONE,
PHILADELPHIA, PENNSYLVANIA, US. (DSL) n/a 135 pcap raw alerts
ruleset other
18 lines Yeah : 1.3
profile none summary
tarball none none none none none none none

T:22:24:00 WinXP 114.48.103.189 (E-MOBILE.NE.JP):
EMOBILE LTD,
TOKYO, TOKYO, JP. (DSL) n/a 445 pcap raw alerts
ruleset shell
ftp
14 lines Yeah : 1.3
profile none summary
tarball 37 of 40 5285741560
NEW 60590b8b67 [0] ASM:Graph
none|none lines=59 trace

T:22:43:00 WinXP 71.116.212.170 (VERIZON.NET):
VERIZON INTERNET SERVICES INC,
LOS ANGELES, CALIFORNIA, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
79 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 33 53bfe15e91
NEW
a08f3b74a4
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:05:00 Win2K-f 63.17.57.2 (UU.NET):
UUNET TECHNOLOGIES INC,
ARLINGTON, WASHINGTON, US. (DSL) n/a US:microsoft.com 135 pcap raw alerts
ruleset other
75 lines Yeah : 1.3
profile none summary
tarball 33 of 33
0 of 32 53bfe15e91
NEW
73f1082158
NEW 1473091351 [0]
none [0] ASM:Graph
none:none
tElock|
Armadillo| lines=75
embedded dns
lines=90 trace
trace

T:23:21:00 Win2K-f 114.203.127.104 (-):
HANARO TELECOM,
SEOUL, SEOUL-T'UKPYOLSI, KR. (DSL) 218.93.205.30:65520 CN:proxima.ircgalaxy.pl
US:microsoft.com
EU:gidromash.cn
EU:ottopay.cn
US:64.235.53.208:80 135 pcap raw alerts
ruleset irc
http
174 lines Yeah : 1.8
profile none summary
tarball 31 of 33
24 of 33
7 of 41 6e2eaa0359
NEW
740e3bffe0
NEW
c7830331fc
NEW none[4]
421938c984[0]
7953649664[0] none:none
none:none
none:none
PolyEnE|
Armadillo|
tElock| none
none
none trace
trace
trace

T:23:38:00 Win2K-f 114.149.205.81 (OCN.NE.JP):
OPEN COMPUTER NETWORK,
JP. (DSL) 218.93.205.30:65520 91.212.220.75:65520 CN:proxima.ircgalaxy.pl
EU:gidromash.cn
EU:ottopay.cn
US:64.235.53.208:80 445 pcap raw alerts
ruleset irc
http
17 lines Yeah : 0.8
profile none summary
tarball 7 of 41 c7830331fc
NEW 7953649664 [0] none:none
tElock| none trace